Adversaries may deploy web shells or other malicious payloads by writing files to the root directory of a web application (for example Tomcat's webapps\ROOT directory), a common technique for establishing persistent access after initial exploitation. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate web application compromises early.
Detection Rule
title: Suspicious File Write to Webapps Root Directory
id: 89c42960-f244-4dad-9151-ae9b1a3287a2
status: experimental
description: |
    Detects suspicious file writes to the root directory of web applications, particularly Apache web servers or Tomcat servers.
    This may indicate an attempt to deploy malicious files such as web shells or other unauthorized scripts.
references:
    - https://labs.watchtowr.com/guess-who-would-be-stupid-enough-to-rob-the-same-vault-twice-pre-auth-rce-chains-in-commvault/
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-10-20
tags:
    - attack.persistence
    - attack.t1505.003
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: file_event
detection:
    # Add more suspicious processes or paths or extensions as needed
    selection_susp_img:
        Image|endswith:
            - '\dotnet.exe'
            - '\w3wp.exe'
            - '\java.exe'
    selection_servers:
        TargetFilename|contains:
            - '\apache'
            - '\tomcat'
    selection_path:
        TargetFilename|contains: '\webapps\ROOT\'
    selection_susp_extensions:
        TargetFilename|endswith: '.jsp'
    condition: all of selection_*
falsepositives:
    - Unknown
level: medium
imFileEvent
// In the ASIM FileEvent schema the Sigma Image field maps to ActingProcessName and
// TargetFilename to TargetFilePath (the full path); TargetFileName holds only the file name.
// A single TargetFilePath can never end with both "\dotnet.exe" and ".jsp", so the image
// test has to go against the acting process, not the target file.
| where (ActingProcessName endswith "\\dotnet.exe" or ActingProcessName endswith "\\w3wp.exe" or ActingProcessName endswith "\\java.exe")
    and (TargetFilePath contains "\\apache" or TargetFilePath contains "\\tomcat")
    and TargetFilePath contains "\\webapps\\ROOT\\"
    and TargetFilePath endswith ".jsp"
Scenario: Scheduled Backup Job Writing to Webapp Root
Description: A legitimate scheduled backup process may write temporary files to the webapp root directory during a backup or restore operation.
Filter/Exclusion: Exclude processes associated with backup tools like Veeam, Commvault, or rsync by checking the process name or command line arguments.
Scenario: Admin Updating Web Application Configuration Files
Description: System administrators may manually update configuration files (e.g., web.xml, httpd.conf) in the webapp root directory as part of routine maintenance.
Filter/Exclusion: Exclude processes with known admin tools like ApacheConfEditor, Tomcat Manager, or VS Code with specific file paths in the webapp root.
Scenario: Log Rotation or File Archiving Task
Description: Log rotation tools like logrotate or rsyslog may write or rotate log files into the webapp root directory, especially if logs are stored there.
Filter/Exclusion: Exclude processes related to logrotate or rsyslog by checking the command line or process name.
Scenario: CI/CD Pipeline Deploying Artifacts
Description: Continuous integration/continuous deployment (CI/CD) pipelines (e.g., Jenkins, GitLab CI) may write deployment artifacts or configuration files to the webapp root during a deployment.
Filter/Exclusion: Exclude processes associated with CI/CD tools by checking the user context (e.g., jenkins, gitlab-runner) or command line arguments.
Scenario: Temporary File Creation by System Services
Description: System services or scripts may create temporary files in the webapp root directory for caching, session storage, or other legitimate purposes.
Filter/Exclusion: Exclude temporary files by checking
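To see how the rule's four selections combine (condition: all of selection_*) and how the allowlist-style exclusions from the false-positive scenarios above narrow the result, here is an added Python re-implementation of the detection logic run over constructed file-event records. It is example code, not part of the Sigma rule, the Sentinel query, or the page; the event field names follow Sysmon's file-create event as Sigma's windows/file_event log source expects them, and the excluded users and command-line markers are hypothetical tuning values.

```python
# Added example: re-implements the Sigma rule's selection logic and applies
# allowlist exclusions of the kind the false-positive scenarios describe.
# Not the rule's or the page's own code.
from dataclasses import dataclass

# Selection values copied from the rule (compared case-insensitively, as Sigma does).
SUSP_IMAGES = ("\\dotnet.exe", "\\w3wp.exe", "\\java.exe")
SERVER_MARKERS = ("\\apache", "\\tomcat")
WEBAPP_ROOT = "\\webapps\\root\\"
SUSP_EXTENSIONS = (".jsp",)

# Hypothetical tuning lists (constructed values; adjust to the environment).
EXCLUDED_USERS = {"jenkins", "gitlab-runner"}          # CI/CD deployment identities
EXCLUDED_CMDLINE_MARKERS = ("veeam", "commvault")       # backup tooling on the command line


@dataclass
class FileEvent:
    """Minimal Windows file-create event (Sysmon-style field names)."""
    image: str
    target_filename: str
    user: str = ""
    command_line: str = ""


def matches_rule(ev: FileEvent) -> bool:
    """True when every selection_* block of the rule matches this event."""
    image = ev.image.lower()
    path = ev.target_filename.lower()
    susp_img = image.endswith(SUSP_IMAGES)                    # selection_susp_img
    servers = any(m in path for m in SERVER_MARKERS)          # selection_servers
    in_root = WEBAPP_ROOT in path                             # selection_path
    susp_ext = path.endswith(SUSP_EXTENSIONS)                 # selection_susp_extensions
    return susp_img and servers and in_root and susp_ext


def is_excluded(ev: FileEvent) -> bool:
    """Allowlist: known deployment users or backup tooling markers on the command line."""
    user = ev.user.lower().rsplit("\\", 1)[-1]    # strip a DOMAIN\ prefix
    cmd = ev.command_line.lower()
    return user in EXCLUDED_USERS or any(m in cmd for m in EXCLUDED_CMDLINE_MARKERS)


def hunt(events):
    """Return the target paths that match the rule and survive the exclusions."""
    return [ev.target_filename for ev in events if matches_rule(ev) and not is_excluded(ev)]


# Constructed sample events.
SAMPLE_EVENTS = [
    # 1: Tomcat's JVM drops a .jsp straight into ROOT, the case the rule is built for
    FileEvent(r"C:\Program Files\Java\jre\bin\java.exe", r"C:\tomcat\webapps\ROOT\cmd.jsp",
              r"NT AUTHORITY\SYSTEM", r"java.exe -Dcatalina.home=C:\tomcat org.apache.catalina.startup.Bootstrap"),
    # 2: IIS worker writing an .aspx under wwwroot: no apache/tomcat marker, no .jsp
    FileEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\inetpub\wwwroot\index.aspx",
              r"IIS APPPOOL\DefaultAppPool"),
    # 3: CI/CD deployment: matches every selection but is allowlisted by user context
    FileEvent(r"C:\Program Files\Java\jre\bin\java.exe", r"C:\apache-tomcat-9.0\webapps\ROOT\index.jsp",
              r"CORP\jenkins", "java.exe -jar agent.jar"),
    # 4: an editor writing a .jsp: Image is not one of the suspicious processes
    FileEvent(r"C:\Windows\System32\notepad.exe", r"C:\tomcat\webapps\ROOT\test.jsp", r"CORP\admin"),
    # 5: configuration file written by java.exe: extension does not match
    FileEvent(r"C:\Program Files\Java\jre\bin\java.exe", r"C:\tomcat\webapps\ROOT\WEB-INF\web.xml",
              r"NT AUTHORITY\SYSTEM"),
    # 6: lower-case path in a nested directory: 'contains' also matches subdirectories of ROOT
    FileEvent(r"c:\java\bin\java.exe", r"c:\tomcat\webapps\root\web-inf\views\page.jsp", "tomcat"),
]

if __name__ == "__main__":
    for path in hunt(SAMPLE_EVENTS):
        print("ALERT:", path)
```

Events 1 and 6 are the only ones reported: event 3 matches the rule but is dropped by the CI/CD user allowlist, and event 6 shows that the rule's contains modifier on '\webapps\ROOT\' also fires on nested directories, which is worth knowing when tuning against legitimate JSP views deployed under WEB-INF.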